Question on passwords for web access

[ibiubu]

Just wanted to know if there is any way to embed the user name and password in CDML code on a web page?

Specifically, I have a web page where the user types in a search criteria, hits the submit button, and then a new page comes up showing the associated data from the FileMaker Database. All this is of course using custom web publishing. But I dont want the user to have to put in the username and password. Is there anything I can add to my submit code to include this. Here is the existing code:

<input type="hidden" name="-op" value="equals" border="0"><input type="hidden" name="-lay" value="CGI"><input type="hidden" name="-db" value="@hand.FP5">

I just dont want to have the users need to know a user name and password to get into the database thru the web pages each time they perform the find. Yet I still need to maintain my access privledges in FileMaker to contol the users in the office who enter data into FileMaker directly.

Is this even possible?

LR

[Keith M. Davie]

"Just wanted to know if there is any way to embed the user name and password in CDML code on a web page?"

Are the username and password to which you refer those used in conjunction with Web Security, or are they part of an entry protocol which you have developed for "all users" / no password in Web Security?

[ibiubu]

Basically I have a database running on our local office network. Staff members access through FileMaker running on their own machines. They have their own set of usernames and passwords assigned through the built-in settings in FileMaker.

I am also publishing the database via web companion. Currently users have access to a static web page with a form where they type their search criteria and hit the submit button. They are then prompted for password information. They use guest because that is user setting I have set up in FileMaker. They then continue on to the web page with the dynamic CDML information from the database that matches their search criteria.

This all works great. Just want to get rid of one step. I dont want web users to have to know a password each time they visit the web page to do a search. I dont need to protect these web pages with passwords. But by default, if I am using passwords in FileMaker for my local network users, then web companion requires one to be entered when accessing the database through the web.

I can always turn off all passwords in FileMaker, then web users wont need one to view the web page. But then of course that means I have no control on my local network over who has access to the database through FileMaker.

It would be nice if I could just include in the CDML code on the web page the guest username and password that matches the one in the FileMaker setting on my local network. This way when they perform a find from the web page, they dont get prompted to enter a password.

LR

[Keith M. Davie]

If I understand correctly, in a browser solution one has the choice of using FMPro security or Web Security, not both.

If you use Web Security and are configured for single-user use "all users" and no password. Set your permissions in Web Security. You may want to just allow "Browse". Do not allow "Delete"

[ibiubu]

I cant believe I am the only person that wants to do this. It is such a basic concept I cant believe FileMaker makes it so hard.

Plenty of people use FileMaker to serve up information on web pages. And a lot of them do so without the viewer needing a password to access the information on the web. Lets face it, some web applications require the need for open access with NO passwords. Easy enough...just don't set anything up in FMPro security or Web Security for passwords.

But at the same time SOMEONE has to administrate the database. And if I want to require access privledges in FMPro security for office staff to edit or add records, I cant do so without at the same time having FileMaker require web visiters to use a pasword.

VERY FRUSTRATING.

[Garry Claridge]

If you are using the 'Web Security' database you can use the standard url style; e.g.

http://username:password@address:port/FMP etc

I am sure that using 'Access Priviliges' you can do something similar. I think I have seen somebody describe it here (maybe Vaughan?).

All the best.

Garry

[ibiubu]

http://username:[email protected]/FMPro?-op=equals&-lay=CGI&[email protected]&-error=errors.htm&User=&-find=Submit&-format=Summary.htm&-max=25

After trying more ways than I can remember to modify the above form action to include a username and password I finally got this one to work.

LR

[Keith M. Davie]

You may also find this cdml tag useful: [FMP-ClientPassword]

[ibiubu]

Let me add a twist to the equation...

So I have a page with the above CDML string that includes the username and password. Using this link works correctly. It opens up a new web page with the database results without prompting for a password.

Now the twist. If at this point the user returns to the first page, and on that page, along with the original link, there is another link to yet a second web page. Now since the visitor has already clicked on the first link, the username and password is already in the memory, so even if the second link does not include the username and password string, it still remembers and does not prompt for a password.

Is there anything that can be added to the second link string that would flush the first links username and password from memory?

LR

[Keith M. Davie]

-tokens, carried from the gitgo?

[ibiubu]

Tokens...way over my head. Are you saying that I need to NOT include tokens from the gitgo on my web page.

I would assume somewhere in my code is something that INCLUDES tokens, and this is what I need to change to NOT include tokens? Or do I just include some sort of -tokens in my link so that they are not carried ever to the one particular page?

I did a search on the source code for my web page for the word Token. There were none. So appenetly I am not using tokens. Does this mean that by including the username and password in the first link it has now been cached by the browser. If I use a second link to a second web page is this why I am not prompted for a password even though I did not include the username and password in the string for that link?

LR

[IdealData]

You can have an empty password ("(no password)"). Your web users don't even get prompted. Just make sure you've got the right privileges set up.

If all you're doing is offering basic finds then it should work fine.

[ibiubu]

Are you saying when I set up access privelges in FileMaker I should create a password with access privledges for browse only, leave the actual password empty. Then when users are doing a find on my web page, they dont get prompted for a password before the find results are displayed? This would then negate the need to include username and password in the form string?

How would this affect a second link on the page, say one for administrative access. Would that link then also not come up with a password prompt?

LR

[IdealData]

Have a "no password" for ALL your files.

I do !

Did you try it yet ?

[ibiubu]

Tried it. When I type in the find criteria on my web page, hit submit, nothing comes up. And of course when I hit my link to go to the admistrator web page then there is no password prompt there, which I do want.

LR

[ibiubu]

Lets approach this from a reverse angle. If a web page requires a password to be entered, and it is done, then subsiquent links dont continually prompt for the password anymore. Is there a way to FORCE a second link to again prompt/require a password to be entered?

This would solve my problem. My first link can contain username and password in the string, which lets the user go to the link without a password prompt. Then if the second link is chosen it would force the prompt to ask for the password again, which is what I want.

[IdealData]

Probably the reason nothing returns on your submit is the FM privileges do not allow EXPORT - you need this for web deployment.

If your admin file requires protection then don't have an empty password.

[Keith M. Davie]

ibiubu querried, "Is there anything that can be added to the second link string that would flush the first links..."

I offered, "-tokens, carried from the gitgo?"

ibiubu then wrote, "I did a search on the source code for my web page for the word Token."-

If you had to do a search on the source code, then you did not write the source code. Are you using IWP? If you are doing CWP and do not understand -tokens you should refer to the cdml reference db.

Regarding your password question, "Is there a way to FORCE a second link to again prompt/require a password to be entered?", the answer is Yes. However to do this you will probably need to not use the FMP username clientpassword features. Instead you will develop your own password protocol. That is what I use at my site.

With your db file(s) opened, when you click Sharing ... you get a window "File sharing for dbname.fp5". Under "FileMaker Netword Sharing" are three radio buttons. Which one do you have selected? In "Companion Sharing" what Check-boxex are selected?

[ibiubu]

It is set to Multi-User. I chose this setting so more than one person can access the database at once. Is this the correct thinking?

[Keith M. Davie]

AFAIK, single user for web publishing.

As I indicated above, you have the choice of FMPro security or Web Security, not both. For similar reasons you should have web publishing set for single user. The rest has to do with the versions you are using. I use 4.0 to serve my web site and do not host the db files in a sharing (peer-to-peer) environment. If I were to attempt that I would go to 5.0 or higher using unlimited for the web and FMPro server for the db files. But others with more experience than me can perhaps help here.

[ibiubu]

Well, there would be a reason I have not been able to get this one to work. As stated in a FileMaker document...

IMPORTANT NOTE: If you have another link on your web page that requires a different password, you cannot simply click the link and enter the password. You will have to close the browser completely and relaunch. This is a limitation in FileMaker Pro and Web Companion.

[ibiubu]

If anyone is interested...here is the solution I came up with.

Senario: 3 links on a page.

1) Link 1 includes a username and password embeded in the link. These are set with access priveledges for browsing only. No password prompt is required with this link.

http://username:[email protected]/FMPro?-op=equals&-lay=CGI&[email protected]&-error=errors.htm&User=&-find=Submit&-format=Summary.htm&-max=25

2) Link 2 is for data entry. This link uses different access privledges than the first link. The problem here is that if someone clicks link 1 first, then a username and password has already been entered for them. If they come back and click link 2, there is no way to force the password prompt to come up forcing them to enter a different password.

Slotion for link 2. Include username and passord (see link 1 sample) information in this link as well. use a different username and password than link 1 with access privledges that allow editing of records. This of course still leaves this link unprotected. I then used Adobe Golive to add a password javascript to the link. Any time this link is clicked on, a password prompt comes up. The password is entered and then the user is passed on to the database using the embeded filemaker username and password with the appropriate privledges.

3) Link 3 is administration access. I followed the same steps as for link 2. Used a different password javascript for this link and included the appropriate filemaker username and password in the link for administrative access privledges.

All in all it may not be the most sophisticated solution...but given the restraints for this scenario presented by filemaker...it works.

LR